Sudo could be made to run commands as root

Oct 15, 2019 08:57 GMT

The Debian Project and Canonical were quick to patch a critical security vulnerability affecting sudo, the program that lets users run programs with the security privileges of another user, and urged users to update their systems immediately.

Discovered by Joe Vennix, the security vulnerability (CVE-2019-14287) could be exploited by an attacker to execute arbitrary commands as the root user (system administrator) because sudo incorrectly handled certain user IDs when it was configured to allow users to run commands as an arbitrary user through the ALL keyword in a Runas specification.

"Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295," reads Debian's security advisory.
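To find out whether a policy meets the condition the advisory describes, the sudoers rules can be scanned for Runas specifications whose user list contains ALL. The following is an added example, not code from the article, Debian or the sudo project; the sample policy is constructed, the parser is simplified (aliases and include files are not resolved), and the `!root` check goes beyond the article text: it marks rules where root was meant to be excluded, which is where the flaw crosses a boundary the administrator intended.

```python
import re

# Constructed sample sudoers content (not taken from the article).
SAMPLE_SUDOERS = r"""
# constructed example policy
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vi
bob     ALL=(www-data) /usr/bin/systemctl restart nginx
carol   ALL=(ALL, !root : staff) NOPASSWD: /usr/bin/less, \
        (ALL) /usr/bin/id
%ops    ALL=(dbadmin, ALL) /usr/bin/psql
"""

RUNAS = re.compile(r"\(([^)]*)\)")                 # text inside a (Runas spec)
SKIP = re.compile(r"^(#|Defaults|\w+_Alias\b)")    # comments, Defaults, alias definitions


def logical_lines(text):
    """Join backslash-continued lines, as sudoers allows, and drop blank ones."""
    joined = re.sub(r"\\\n", " ", text)
    return [line.strip() for line in joined.splitlines() if line.strip()]


def audit_runas_all(text):
    """Return one finding per Runas spec whose user list contains ALL."""
    findings = []
    for line in logical_lines(text):
        if SKIP.match(line) or "=" not in line:
            continue
        who = line.split()[0]
        for spec in RUNAS.findall(line.split("=", 1)[1]):
            users = [u.strip() for u in spec.split(":")[0].split(",")]  # users precede ':'
            if "ALL" in users:
                findings.append({
                    "who": who,
                    "runas": spec.strip(),
                    # ALL together with "!root" is the policy the flaw defeats:
                    # root was meant to be excluded from the permitted targets.
                    "root_excluded": "!root" in users,
                })
    return findings


if __name__ == "__main__":
    for f in audit_runas_all(SAMPLE_SUDOERS):
        note = "root exclusion at risk until patched" if f["root_excluded"] else "root already permitted"
        print(f'{f["who"]:8} ({f["runas"]})  {note}')
```

Rules reported with `root_excluded` set are the ones to prioritise for patching.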

Update your systems as soon as possible

Both the Debian Project and Canonical urge users to update their Debian GNU/Linux and Ubuntu systems as soon as possible to the new sudo version that's patched against this security vulnerability and already available in the main software repositories of all supported Debian GNU/Linux and Ubuntu releases.

Therefore, Ubuntu 19.04 users must update to sudo 1.8.27-1ubuntu1.1, Ubuntu 18.04 LTS users to sudo 1.8.21p2-3ubuntu1.1, Ubuntu 16.04 LTS users to sudo 1.8.16-0ubuntu1.8, Ubuntu 14.04 ESM users to sudo 1.8.9p5-1ubuntu1.5+esm2, Ubuntu 12.04 ESM users to sudo 1.8.3p1-1ubuntu3.8, Debian GNU/Linux 9 "Stretch" users to sudo 1.8.19p1-2.1+deb9u1, and Debian GNU/Linux 10 "Buster" users to sudo 1.8.27-1+deb10u1.

Of course, several other popular GNU/Linux distributions, including Arch Linux, Slackware, and openSUSE, have updated the sudo packages in their software repositories to patch this critical vulnerability, as well as several other issues resolved in the sudo 1.8.28 release, which you can also download right now through our free software portal.